[Snort-users] BASE 1.4.x updates?

Randal T. Rioux randy at ...13561...
Fri Feb 18 16:17:13 EST 2011


On 2/18/2011 12:34 PM, Jefferson, Shawn wrote:
> Hi,
> 
> I have hacked in support of StreamDB and OpenFPC into my own BASE
> 1.4.x (screenshot attached), which simplifies several steps I was
> going through when analyzing events.  If anyone is interested, let me
> know, and I can post what I've changed and added (it's not pretty,
> but it works!)
> 
> Is development on BASE 1.4.x now stopped in favor of BASE 2.0?  I've
> made several mods to the BASE that I'm using and I'd like to see
> these ideas brought into BASE (2.0 for sure, ideally backported to
> 1.4.5 if 2.0 is still way off):
> 
> 1. Support for more links on the base_stat_ipaddr page, specifically,
> the ability to call a URL with specific parameters (like computer
> name, etc.)  I'm using this to link to a systems management product
> that gives more detail on the computer in question.
> 
> 2. Further on this idea, I have changed base_stat_ipaddr to just show
> the patch/update information directly from my systems management
> product. This is a great time-saving feature, as you are looking
> through an event, and wonder if that software is even installed on
> that asset, or whether that patch is missing or not.
> 
> 3. A way to link to a function (that the user would provide) that
> takes the CVE from the rule/alert as a parameter, and returns TRUE or
> FALSE.  The function could look up the CVE in a systems management
> product (that's what I'm doing), or anything else (Nessus scan
> results stored in a file or database).  Use this value to highlight
> those alerts where the attack matches the vulnerability.  (Currently
> I show these in red to highlight them.)

Dev on 1.x has pretty much stopped, but I can add these changes to the
CVS (in fact, I'd love to). Send the bits to me privately and we'll take
it from there. Perhaps we can squeeze out a new release with this and
some other changes I have.

BASE has new management, but nothing has been started yet.

Thanks!
Randy
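As an added illustration of items 1 and 3 in the quoted request (example code written for this page, not Shawn's modifications and not part of BASE 1.4.x or 2.0): a user-supplied hook that takes a CVE reference from a Snort rule, looks it up in a local per-host vulnerability table (here a constructed array standing in for Nessus results or a systems-management export), and returns TRUE/FALSE so the alert row can be highlighted; plus a small helper that builds the parameterised asset link. All function names (base_normalise_cve, base_cve_is_vulnerable, base_alert_row_style, base_asset_link), the sample hosts and the sample alerts are assumptions made for the example.

```php
<?php
// Added example, not BASE project code. All names and sample data below
// are constructed for illustration.

// Constructed lookup table: CVEs believed open on each destination host,
// e.g. exported from a Nessus scan or a systems management product.
$vuln_by_host = [
    '10.0.0.5' => ['CVE-2010-0001' => true, 'CVE-2009-1234' => true],
    '10.0.0.7' => ['CVE-2008-4250' => true],
];

/**
 * Normalise a CVE reference as it appears in a Snort rule
 * ("cve,2010-0001" from the reference: keyword, or "CVE-2010-0001")
 * to the form CVE-YYYY-NNNN. Returns null for non-CVE references
 * such as "bugtraq,31874".
 */
function base_normalise_cve(string $ref): ?string {
    if (preg_match('/^(?:cve[,-])?\s*(\d{4})-(\d{4,})$/i', trim($ref), $m)) {
        return sprintf('CVE-%s-%s', $m[1], $m[2]);
    }
    return null;
}

/**
 * The user-provided hook from item 3: is this CVE open on the target?
 * Unknown hosts and non-CVE references return FALSE, so missing data
 * never causes a false highlight.
 */
function base_cve_is_vulnerable(string $dst_ip, string $cve_ref, array $db): bool {
    $cve = base_normalise_cve($cve_ref);
    if ($cve === null) {
        return false;
    }
    return isset($db[$dst_ip][$cve]);
}

/**
 * Row style for the alert listing: red when the attack matches an open
 * vulnerability on the destination host, default styling otherwise.
 */
function base_alert_row_style(string $dst_ip, string $cve_ref, array $db): string {
    return base_cve_is_vulnerable($dst_ip, $cve_ref, $db) ? 'color: red' : '';
}

/**
 * Item 1: build a link to an external asset page from a template such as
 * "https://cmdb.example.invalid/host?ip={ip}&name={name}". Values are
 * URL-encoded before substitution and the result is HTML-escaped, so an
 * attacker-controlled hostname in an event cannot inject into the link.
 */
function base_asset_link(string $template, array $params): string {
    $url = $template;
    foreach ($params as $key => $value) {
        $url = str_replace('{' . $key . '}', rawurlencode((string) $value), $url);
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample alerts: destination IP and the reference field
// parsed from the matching rule.
$alerts = [
    ['dst' => '10.0.0.5', 'ref' => 'cve,2010-0001'],   // open on host: MATCH
    ['dst' => '10.0.0.5', 'ref' => 'cve,2008-4250'],   // CVE not on this host
    ['dst' => '10.0.0.9', 'ref' => 'CVE-2008-4250'],   // host not in table
    ['dst' => '10.0.0.7', 'ref' => 'bugtraq,31874'],   // not a CVE reference
];

foreach ($alerts as $a) {
    $match = base_cve_is_vulnerable($a['dst'], $a['ref'], $vuln_by_host);
    printf("%-10s %-16s %s\n", $a['dst'], $a['ref'], $match ? 'MATCH' : '-');
}

echo base_asset_link(
    'https://cmdb.example.invalid/host?ip={ip}&name={name}',
    ['ip' => '10.0.0.5', 'name' => 'web-01 <test>']
), "\n";
```

Only the first sample alert is reported as MATCH; the other three fall through to FALSE for the reasons in the comments. Keeping the lookup behind a single boolean function is what makes the back end swappable, as the request asks: the same base_alert_row_style call works whether the data comes from a scan file, a database, or a systems management API.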
